Important! This guide applies only to 3CX Phone System 11. It does not apply to 3CX Phone System 12, where the setup wizard automates the procedure.

This guide describes how to configure 3CX Phone System 11 installed on IIS Web Server with HTTPS / SSL.
It's important to be running 3CX Phone System Version 11 Build 27011 or higher. This guide applies to 3CX Phone System deployments installed on IIS server 7.

An appropriate certificate is required. 3CX Phone System requires end users to be able to verify the server’s identity with the certificate generated. In this case you need to send a certificate request to a known Certificate Authority (CA) such as Thawte, VeriSign or GeoTrust, or you can obtain a certificate from an online CA. In this example we will use www.cacert.org.

The process to have SSL configured for 3CX Phone System is split up into six parts:

  • Part 1: Creating a Certificate Request in IIS Web Server
  • Part 2: Sending the Certificate Request to the Certificate Authority and Getting Back a Server Certificate
  • Part 3: Completing the Certificate Request in Part 1 by Entering the Server Certificate Provided from the Certificate Authority in Part 2
  • Part 4: Importing the Root Certificate from the Certificate Authority on the 3CX Server Machine and any Computer that will Access 3CX MyPhone
  • Part 5: Modifying 3CX MyPhone Web Configuration File for HTTPS to Work
  • Part 6: Creating the HTTPS Binding in IIS Web Server

Part 1: Creating a Certificate Request in IIS Web Server

  1. Access your 3CX Phone System server, choose "Start" > "Administrative Tools" > "Internet Information Services (IIS) Manager".
  2. In IIS Manager, choose your server name.
  3. In the Features View (the middle pane), double-click the "Server Certificates" option located under the Security heading.
  4. To begin the process of requesting a new certificate, choose the "Create Certificate Request" option from the Actions pane.
  5. In this example, the domain for which we are configuring SSL is voip3.alarm-system.com. In most cases, this has to be a domain. If you want to put an IP Address here, you will need to use an internal certificate authority.
    The common name should match the fully-qualified domain name for the site. Provide information about your site, making sure to spell out the name of your state and locality correctly. Click "Next" to continue.
  6. The next screen of the wizard asks you to choose a Cryptographic service provider. The default, Microsoft RSA SChannel Cryptography Provider, works well. Select "2048" for the bit length. Click "Next" to continue.
  7. Finally, specify a filename for the certificate request. You will need the contents of this file in the next step, so make sure you know where to find it. In this example, the file is named “voip3certificaterequest.txt”.

Part 2: Sending the Certificate Request to the Certificate Authority and Getting Back a Server Certificate

  1. Now that we have the certificate request, we need to send it to a trusted certificate authority so the request can be completed. As a result we will get a Server Certificate. If you are using a trusted certificate authority, follow their online documentation from this point onwards. In this example, we will use CAcert to generate the server certificate for our 3CX Phone System server.
  2. Open a browser and browse to https://www.cacert.org. Create an account and, once it is activated, click on "Password login" to log in.
  3. Locate the text file that contains the certificate request generated in Part 1. In our case, we named the file “voip3certificaterequest.txt”. Open the file using a text editor and copy all the contents. Go back to CAcert's site, click on "Server Certificates" > "New" and paste the text copied from the text file. You will notice that the certificate request will contain the common name. Press "Submit" to submit this request.
  4. On the next screen, CAcert will generate the Server certificate. Copy the server certificate in its entirety into a text file and name it “servercertificate.cer”.

Part 3: Completing a Certificate Request in IIS

  1. Now that we have the server certificate which contains the authorized response from the certificate authority we can go back to IIS server to complete the certificate request in IIS. Choose "Start" > "Administrative Tools" > "Internet Information Services (IIS) Manager".
  2. In the IIS Manager, choose your server name.
  3. In the Features pane (the middle pane), double-click the "Server Certificates" option located under the "Security" heading.
  4. Click "Complete Certificate Request" from the "Actions" pane.
  5. Enter the path to the cer file which contains the server certificate response from the previous step – in our example the file was named servercertificate.cer.
  6. Enter a friendly name – this name will be visible in IIS. To keep things simple, enter the domain used for the certificate.
  7. You should now see a new certificate in IIS with your domain name, in our case voip3.alarm-system.com.

Part 4: Importing the Root Certificate from the Certificate Authority on the 3CX Server Machine and any Computer that will Access 3CX MyPhone

Since CAcert’s root certificate is not shipped with Windows operating systems, we also need to download and install the Root Certificate and Intermediate Certificate. If you are using Thawte, GeoTrust or VeriSign, you can skip this step.

  1. From https://www.cacert.org/index.php?id=3 download the following:
    Root Certificate (PEM Format) - https://www.cacert.org/certs/root.crt
    Intermediate Certificate (PEM format) - https://www.cacert.org/certs/class3.crt.
    Save these files in a folder on your disk. In our case, the folder is called voip3.alarm-system.com.
  2. Next, click "Start" > "Run", type "MMC" and press "Enter". From the "File" menu select "Add or remove snap-in".
  3. Select Certificates and click "Add".
  4. On the next screen, select "computer account".
  5. Select local computer, so you access the certificate store on the local computer. Click "Finish".
  6. The selected snap-in is the one displayed on the right side. Press "OK" for MMC to open the Certificates (Local Computer) snap-in.
  7. The console shows all the certificates that are installed on the local computer. Expand the "Certificates" node > "Trusted Root Certification Authorities" > "Certificates".
  8. Click "More" in the "Actions" pane (on the right) and select "All tasks" > "Import".
  9. The import certificate wizard will launch. Click "Next" to proceed.
  10. Click "Browse" and specify the Root certificate which was downloaded in the previous step. In our example, this is named "root.cer".
  11. Select the location where you want this certificate to be installed. In our case we want to install this in the "Trusted Root Certification Authorities store". Click "Next" to install the "Root Certificate" in this location.
  12. The root CA for CAcert is successfully imported and you will see it in the trusted certificates store in the MMC console.
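
Adding a root to the Trusted Root store makes the computer trust every certificate that CA issues, so the downloaded files should be checked before import. The following PowerShell is an added example, not part of the original guide: it compares each file's SHA-1 thumbprint with a value you supply and only then imports it with certutil, and it goes one step beyond the wizard by placing class3.crt in the Intermediate Certification Authorities store. The drive letter in the folder path is an assumption and the expected thumbprints are placeholders to be filled in from the fingerprints CAcert publishes.

```powershell
# Added example, not from the original guide. Run from an elevated prompt.
# Folder from step 1 holding the downloaded files (drive letter is an assumption).
$folder = 'C:\voip3.alarm-system.com'

# PLACEHOLDERS: replace with the SHA-1 fingerprints published by the CA,
# obtained over a channel you already trust. The script refuses to import
# anything while these are still placeholders.
$expected = @{
    'root.crt'   = '<ROOT-SHA1-THUMBPRINT-PLACEHOLDER>'
    'class3.crt' = '<CLASS3-SHA1-THUMBPRINT-PLACEHOLDER>'
}

# certutil store names: Root = Trusted Root Certification Authorities,
# CA = Intermediate Certification Authorities (local machine stores).
$store = @{ 'root.crt' = 'Root'; 'class3.crt' = 'CA' }

foreach ($name in 'root.crt', 'class3.crt') {
    $path = Join-Path $folder $name
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)

    # Normalise the expected value: drop spaces/colons, compare as upper-case hex.
    $want = ($expected[$name] -replace '[^0-9A-Fa-f]', '').ToUpper()

    Write-Host ("{0}: subject={1}; expires={2}; thumbprint={3}" -f `
        $name, $cert.Subject, $cert.NotAfter, $cert.Thumbprint)

    if ($want.Length -ne 40 -or $cert.Thumbprint -ne $want) {
        throw "$name does not match the expected thumbprint; nothing imported for this file."
    }

    & certutil.exe -addstore $store[$name] $path
    if ($LASTEXITCODE -ne 0) { throw "certutil failed while importing $name" }
}
```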

Part 5: Configuring 3CX MyPhone to Work in HTTPS Mode

3CX MyPhone is a Silverlight application and requires a change to its configuration files, which needs to be done manually.

  1. From the 3CX Phone System Server computer, browse to the C:\ProgramData\3CX\Data\Http\Interface\MyPhone directory (where C:\ProgramData is the path to the common application data folder). Locate the file Web or Web.config and open it with a text editor.
  2. You will need to uncomment a line in this file. Search for 'uncomment the below line for HTTPS to work.'. The next line is the line that needs to be uncommented.
  3. After modifications this is how the endpoint line should look:
    <endpoint address="" binding="pollingDuplexBinding" bindingConfiguration="PubSubChunkedBinaryHTTPS" contract="Tcx.Assistant.IAssistPubSub" />
  4. Save and close the file when done.

Part 6: Creating the HTTPS Binding in IIS Web Server

  1. Access IIS Manager, expand Sites and click on 3CX Phone System Web Server.
  2. From the Actions pane, select Bindings.
  3. Click on the Add button to add a new binding to the 3CX Main Website.
  4. Configure the binding with the following options:
    • Type: Select https as the protocol type
    • IP Address: Select the IP Address of the 3CX Phone System Server from the dropdown list together with the port.
    • SSL certificate: Select the SSL Server certificate you would like to use – in this example we will use the one we created – voip3.alarm-system.com
    • Press OK to create this binding.
  5. The new binding will be visible in the Site bindings section.

You can now access these 3CX websites as follows:

  • Management console: https://voip3.alarm-system.com/management or http://voip3.alarm-system.com:5000/management
  • Web Reports: https://voip3.alarm-system.com/reports or http://voip3.alarm-system.com:5000/reports
  • 3CX MyPhone: https://voip3.alarm-system.com/MyPhone or http://voip3.alarm-system.com:5000/MyPhone
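
A check for the finished setup, as an added PowerShell example that is not part of the original guide: it connects to the new HTTPS binding and reports whether the certificate's common name matches the site, whether the key is at least 2048 bits, and whether the chain builds to a root trusted on the computer running it. Port 443 and the function name Test-SiteCertificate are assumptions.

```powershell
# Added example, not from the original guide.
$hostName = 'voip3.alarm-system.com'   # the guide's example domain
$port     = 443                        # assumption: default HTTPS port on the binding

function Test-SiteCertificate([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents so it can be inspected here;
        # trust is evaluated explicitly with X509Chain below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against this computer's certificate stores.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)

        # The guide sets the common name to the site's FQDN, so compare the two.
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $cn = $cert.GetNameInfo($nameType, $false)

        New-Object PSObject -Property @{
            CommonName   = $cn
            NameMatches  = ($cn -eq $HostName)
            KeySize      = $cert.PublicKey.Key.KeySize
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            ChainTrusted = $trusted
            ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
}

$result = Test-SiteCertificate $hostName $port
$result | Format-List
if (-not ($result.NameMatches -and $result.ChainTrusted -and $result.KeySize -ge 2048)) {
    Write-Warning 'Certificate check failed: review the values above.'
}
```

Run on a client computer where Part 4 has not been carried out, ChainTrusted comes back False with an untrusted-root status, which is the condition the first note below describes.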

Notes

  • 3CX Wallboard does not support HTTPS.
  • 3CX MyPhone requires the root certificate to be installed on each client computer that needs to access 3CX MyPhone. If you are using Thawte, VeriSign or GeoTrust, the root certificate is shipped with Windows. If you use any other Certificate Authority which does not ship the root certificate with Windows, you will need to repeat Part 4 on all the users' computers which need access to 3CX MyPhone. Failure to do so will cause 3CX MyPhone to work only with Internet Explorer.
  • Alternatively you can use Group Policies to install the root or intermediate certificates on the computers in the domain.